eBPF

What is eBPF?

  • A mechanism for inserting custom, sandboxed logic into the Linux kernel
  • eBPF functions can be written in Safe C or Rust
  • eBPF functions can be attached to a large number of hooks, both inside system calls and in the lower layers of the networking stack
  • eBPF opens up many interesting applications in
    • Security
    • Tracing & Profiling
    • Networking
    • Observability & Monitoring

eBPF for Security

  • eBPF allows seeing and intercepting both system calls and any network activity.
  • This allows for applications like
    • network firewalls
    • fine-grained system call level capability control
    • process context tracing
  • ...all using the same technology and directly from within the Linux kernel.
  • Dynamically insertable hooks within system calls also enable the creation of live patches for vulnerabilities that do not require a system upgrade and reboot.

eBPF for Tracing & Profiling

  • eBPF programs can be attached to trace points both in the kernel and in user applications.
    • This allows for unprecedented visibility into application and system runtime behavior.
  • Introspection across kernel and user space enables better insights into system performance issues.
  • Kernel-native shared data structures make data collection far more efficient, without the huge amounts of sampling data collected by traditional profiling and tracing tools.
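
The syscall interception and process context tracing described in the Security and Tracing sections above, as an added example that is not part of the original notes. It is a bpftrace script (bpftrace is a front end that compiles each probe into an eBPF program attached to a kernel tracepoint); it assumes bpftrace is installed and is run as root. The filename trace_procs.bt and the "/etc/" path filter are illustrative choices.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the original notes. Run as: sudo bpftrace trace_procs.bt
// Each probe body is a separate eBPF program attached to a syscall tracepoint;
// the @maps are kernel-resident hash maps, so aggregation happens in the kernel
// and only the summary crosses into user space at exit.

BEGIN
{
    printf("%-8s %-6s %-16s %s\n", "TIME", "PID", "COMM", "EVENT");
}

// New process creation: which process executed which command line.
// Note: comm is still the caller's name here, since execve has not completed.
tracepoint:syscalls:sys_enter_execve
{
    printf("%-8s %-6d %-16s exec ", strftime("%H:%M:%S", nsecs), pid, comm);
    join(args->argv);
}

// File access to a sensitive tree (illustrative filter: paths under /etc/).
// The filter runs in the kernel, so non-matching opens cost almost nothing.
tracepoint:syscalls:sys_enter_openat
/strncmp(str(args->filename), "/etc/", 5) == 0/
{
    @etc_opens[comm] = count();
    printf("%-8s %-6d %-16s open %s\n", strftime("%H:%M:%S", nsecs), pid, comm,
        str(args->filename));
}

// Outbound connection attempts, counted per process name.
tracepoint:syscalls:sys_enter_connect
{
    @connects[comm] = count();
}

END
{
    printf("\nopens under /etc/ per process:\n");
    print(@etc_opens);
    printf("\nconnect() calls per process:\n");
    print(@connects);
    clear(@etc_opens);
    clear(@connects);
}
```

Stop the script with Ctrl-C; the END block then prints the per-process counters that were aggregated inside the kernel.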

eBPF for Networking

  • eBPF programs can be embedded into the network stack to enable
    • custom protocol parsers
    • forwarding / routing logic handled without leaving the kernel context (or even running directly on the NIC)
  • In contrast to user space networking appliances, the execution performance is close to that of native kernel code.

eBPF for Observability & Monitoring

  • eBPF allows for the collection of custom metrics instead of relying on counters provided by user space OS tools.
  • This both extends the depth of visibility and reduces the overhead of data collection.

There is also a YouTube talk: https://www.youtube.com/watch?v=ayFWnFj5fY8

TODO: Should probably expand this more